SSO user groups
SSO user groups are part of FSSO authentication and contain only Windows or Novell network users. No other user types are permitted as members. Information about the Windows or Novell user groups and the logon activities of their members is provided by the Fortinet Single Sign On (FSSO) which is installed on the network domain controllers.
You can specify FSSO user groups in security policies in the same way as you specify firewall user groups. FSSO user groups cannot have SSL VPN or dialup IPsec VPN access.
For information about configuring FSSO user groups, see Creating Fortinet Single Sign-On (FSSO) user groups on page 178. For complete information about installing and configuring FSSO, see Agent-based FSSO on page 142.
Configuring Peer user groups
Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command. The peer groups you define here are used in dialup IPsec VPN configurations that accept RSA certificate authentication from members of a peer certificate group.
To create a peer group – CLI
config user peergrp
    edit vpn_peergrp1
        set member pki_user1 pki_user2 pki_user3
    next
end
Viewing, editing and deleting user groups
To view the list of FortiGate user groups, go to User & Device > User Groups.
Editing a user group
When editing a user group in the CLI you must set the type of group this will be: either a firewall group, a Fortinet Single Sign-On Service group (FSSO), a RADIUS-based Single Sign-On Service group (RSSO), or a guest group. Once the type of group is set and members are added, you cannot change the group type without first removing the members.
In the web-based manager, if you change the type of the group any members will be removed automatically.
To edit a user group – web-based manager
- Go to User & Device > User Groups.
- Select the user group that you want to edit.
- Select Edit.
- Modify the user group as needed.
- Select OK.
To edit a user group – CLI
This example adds user3 to Group1. Note that the set member command replaces the existing member list rather than appending to it, so you must re-specify the full list of users; any user you omit is removed from the group:
config user group
    edit Group1
        set group-type firewall
        set member user2 user4 user3
    next
end
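Because set member overwrites the whole list, the safest way to add one user is to read the group's current members first and re-emit them together with the new one. The following Python helper is an added example, not part of this guide or of FortiOS: it parses a constructed sample of what show user group prints (the sample below is made up for the example, not captured from a device), appends a member without dropping or duplicating existing ones, and builds the CLI block to paste back. The function and variable names are the example's own.

```python
import re

# Constructed sample of `show user group` output (not from a real device).
SAMPLE_SHOW_OUTPUT = """\
config user group
    edit "Group1"
        set group-type firewall
        set member "user2" "user4"
    next
    edit "Group2"
        set group-type firewall
        set member "user1"
    next
end
"""


def parse_user_groups(show_output):
    """Return {group_name: {"group-type": str, "member": [names]}}
    parsed from the text of `show user group`."""
    groups = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            groups[current] = {"group-type": None, "member": []}
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"^set group-type (\S+)$", line)
        if m:
            groups[current]["group-type"] = m.group(1)
            continue
        m = re.match(r"^set member (.+)$", line)
        if m:
            # Member names are quoted in show output; keep them in order.
            groups[current]["member"] = re.findall(r'"([^"]+)"', m.group(1))
    return groups


def add_member_cli(groups, group_name, new_member):
    """Build the CLI block that adds new_member to group_name while
    re-specifying every existing member, so nobody is silently dropped.
    Raises KeyError if the group is unknown, so no group is created by accident."""
    g = groups[group_name]
    members = list(g["member"])
    if new_member not in members:
        members.append(new_member)
    member_str = " ".join(f'"{m}"' for m in members)
    lines = ["config user group", f'    edit "{group_name}"']
    if g["group-type"]:
        # group-type must be present and cannot change once members exist.
        lines.append(f'        set group-type {g["group-type"]}')
    lines.append(f"        set member {member_str}")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: paste the printed block into the FortiGate CLI.
    print(add_member_cli(parse_user_groups(SAMPLE_SHOW_OUTPUT), "Group1", "user3"))
```

The helper only reproduces what the show output contained plus the one new member; it never guesses a group type, and asking it to add a member to a group that does not exist fails instead of quietly creating an empty group of the wrong type.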
Deleting a user group
Before you delete a user group, you must ensure there are no objects referring to it, such as security policies. If there are, you must remove those references before you are able to delete the user group.
To remove a user group – web-based manager
- Go to User & Device > User Groups.
- Select the user group that you want to remove.
- Select Delete.
- Select OK.
To remove a user group – CLI
config user group
    delete Group2
end
SSL renegotiation in firewall authentication
The auth-ssl-allow-renegotiation option under config user setting allows or forbids SSL renegotiation in firewall authentication. The default value is disable: when renegotiation is detected, authd terminates the session and records the login attempt as a failure. All other behavior follows the regular authentication settings.
To enable SSL renegotiation – CLI
config user setting
    set auth-ssl-allow-renegotiation enable
end
Hi Mike, one question: if I have LDAP users and a remote RADIUS group, which will be checked first, given a username and password? I'm not able to see if the order is defined somewhere.
Thank you